diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
deleted file mode 100644
index 665b10e8..00000000
--- a/.git-crypt/.gitattributes
+++ /dev/null
@@ -1,4 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
diff --git a/.git-crypt/keys/default/0/B6085811FE3A32105E6BBE8991C7255A9B0557E4.gpg b/.git-crypt/keys/default/0/B6085811FE3A32105E6BBE8991C7255A9B0557E4.gpg
deleted file mode 100644
index 16907dbb..00000000
Binary files a/.git-crypt/keys/default/0/B6085811FE3A32105E6BBE8991C7255A9B0557E4.gpg and /dev/null differ
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index cd93a0da..00000000
--- a/.gitattributes
+++ /dev/null
@@ -1,4 +0,0 @@
-# To add a new file:
-# /secret/file filter=git-crypt diff=git-crypt
-**/*.secret.nix filter=git-crypt diff=git-crypt
-**/secret.nix filter=git-crypt diff=git-crypt
diff --git a/README.md b/README.md
index ccb31df2..a4c62ab0 100644
--- a/README.md
+++ b/README.md
@@ -2,19 +2,11 @@ ## Secrets -There are two types of secrets in this repository. Secret secrets, and -secret configuration. - -Secret secrets should never be world-readable, even to users who are +Secrets should never be world-readable, even to users who are logged in to one of the hosts managed by this configuration. These are generally managed by agenix, allowing them to still be put in the nix store. -Secret configuration is generally more security through obscurity -(e.g. some services that I run that I don't want the whole world to -know what ports they run on). These are managed with git-crypt and are -files that end in `secret.nix`. - ## Setting up a new dev environment * Create a new `*.nix` file in the shells directory that describes the environment (this is the hard part).
diff --git a/flake.nix b/flake.nix
index aa14de9e..10e8b296 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,15 +65,17 @@ lasting-integrity.modules = [ ./machines/lasting-integrity ]; urithiru.modules = [ ./machines/urithiru ]; }; - outputsBuilder = channels: let pkgs = channels.nixpkgs; in { - packages = customPackages pkgs.callPackage; - devShell = pkgs.mkShell { - buildInputs = [ - pkgs.nixpkgs-fmt - (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch") - agenix.defaultPackage.x86_64-linux - ]; + outputsBuilder = channels: + let pkgs = channels.nixpkgs; in + { + packages = customPackages pkgs.callPackage; + devShell = pkgs.mkShell { + buildInputs = [ + pkgs.nixpkgs-fmt + (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch") + agenix.defaultPackage.x86_64-linux + ]; + }; }; - }; }; }
diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 84abd8aa..dc111527 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -1,10 +1,7 @@ { pkgs, ... }: { - imports = [ - ./hardware.nix - ./secret.nix - ]; + imports = [ ./hardware.nix ]; time.timeZone = "Europe/Berlin";
@@ -68,11 +65,12 @@ client_max_body_size 10M; proxy_set_header X-Forwarded-Ssl on; ''; - }; in { - "/_matrix" = matrixRedirect; - "/.well-known/matrix" = matrixRedirect; - "/".return = "307 https://www.vanpetegem.me$request_uri"; - }; + }; in + { + "/_matrix" = matrixRedirect; + "/.well-known/matrix" = matrixRedirect; + "/".return = "307 https://www.vanpetegem.me$request_uri"; + }; }; } { fqdn = "www.vanpetegem.me"; }
diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix
index 5e1307da..632a4ca9 100644
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
@@ -1,10 +1,7 @@ { lib, pkgs, nixosConfigurations, ... }: { - imports = [ - ./hardware.nix - ./secret.nix - ]; + imports = [ ./hardware.nix ]; time.timeZone = "Europe/Berlin";
diff --git a/modules/services/data-access/config.nix b/modules/services/data-access/config.nix
index 417f2af3..f31a159d 100644
--- a/modules/services/data-access/config.nix
+++ b/modules/services/data-access/config.nix
@@ -7,7 +7,9 @@ description = "Data Access"; uid = 1000; group = "users"; + passwordFile = "/run/secrets/password_file"; }; + environment.systemPackages = [ pkgs.rsync pkgs.mktorrent (pkgs.writeShellScriptBin "create_torrent" ". /run/secrets/create_torrent") ]; security.sudo.enable = false; services.openssh = { enable = true;
@@ -16,5 +18,6 @@ { bits = 4096; path = "/run/secrets/ssh_host_rsa_key"; type = "rsa"; } { path = "/run/secrets/ssh_host_ed25519_key"; type = "ed25519"; } ]; + authorizedKeysFiles = [ "/run/secrets/authorized_keys" ]; }; }
diff --git a/modules/services/data-access/config.secret.nix b/modules/services/data-access/config.secret.nix
deleted file mode 100644
index 76e90491..00000000
Binary files a/modules/services/data-access/config.secret.nix and /dev/null differ
diff --git a/modules/services/data-access/default.nix b/modules/services/data-access/default.nix
index 40137de5..5ee0530f 100644
--- a/modules/services/data-access/default.nix
+++ b/modules/services/data-access/default.nix
@@ -1,8 +1,6 @@ { config, lib, ... }: { - imports = [ ./secret.nix ]; - options.chvp.services.data-access.enable = lib.mkOption { default = false; example = true;
@@ -32,6 +30,8 @@ ]; }; + networking.firewall.allowedTCPPorts = [ 2002 ]; + containers.data-access = { ephemeral = true; autoStart = true;
@@ -45,13 +45,18 @@ isReadOnly = true; }; }; + forwardPorts = [{ + containerPort = 22; + hostPort = 2002; + protocol = "tcp"; + }]; privateNetwork = true; hostAddress = "192.168.100.10"; hostAddress6 = "fc00::1"; localAddress = "192.168.100.11"; localAddress6 = "fc00::2"; config = { ... }: { - imports = [ ./config.nix ./config.secret.nix ]; + imports = [ ./config.nix ]; }; };
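Review bot: `passwordFile = "/run/secrets/password_file";` gives the uid-1000 account a login password inside a container whose sshd is enabled a few lines below, and the `allowedTCPPorts`/`forwardPorts` hunks of modules/services/data-access/default.nix on this same line publish that sshd on host port 2002, so unless `PasswordAuthentication` is disabled somewhere not shown in the hunk the exposed sshd accepts password logins for this account as well as keys. If the password is only meant for console or `su` use, add `services.openssh.passwordAuthentication = false;` next to `enable = true;`. The three `/run/secrets/...` paths are literals with no visible link to the host-side `age.secrets` names; a comment such as `# /run/secrets is the host's agenix directory bind-mounted read-only into the container (see default.nix)` would record the coupling, assuming that is what the bindMounts context in default.nix provides. The `create_torrent` wrapper sources a decrypted file at run time, so the secret's owner and mode decide who can change what runs under the invoking user; that deserves a one-line comment beside the wrapper.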
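Review bot: `authorizedKeysFiles = [ "/run/secrets/authorized_keys" ];` is concatenated with the NixOS sshd module's own default list rather than replacing it (the module sets `%h/.ssh/authorized_keys`, `%h/.ssh/authorized_keys2` and `/etc/ssh/authorized_keys.d/%u` as ordinary config, and list options merge), so a key the container user drops into their home directory remains a valid login credential. If the agenix file is meant to be the single authority over who may log in, say so or override the defaults; otherwise a comment such as `# Extra key source; the NixOS default AuthorizedKeysFile entries still apply` makes the intent explicit. sshd's StrictModes also requires this path to be owned by root or the login user and not group/world-writable, which the `owner` set in default.nix appears to satisfy but is worth stating next to the path.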
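Review bot: `networking.firewall.allowedTCPPorts = [ 2002 ];` opens the forwarded container sshd on every host interface, whereas the README text removed in this commit described such port numbers as configuration that was deliberately kept out of the public tree; if only a LAN or VPN interface is meant to reach the container, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 2002 ];` scopes the rule. The literal 2002 appears here and again as `hostPort = 2002;` in the `forwardPorts` hunk further along this line; a single `let dataAccessSshPort = 2002; in` binding, or a comment on each pointing at the other, keeps the two from drifting apart. The enclosing attribute set of both hunks opens before and closes after the visible lines.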
@@ -59,6 +64,15 @@ age.secrets."data-access/ssh_host_rsa_key.pub".file = ../../../secrets/data-access/ssh_host_rsa_key.pub.age; age.secrets."data-access/ssh_host_ed25519_key".file = ../../../secrets/data-access/ssh_host_ed25519_key.age; age.secrets."data-access/ssh_host_ed25519_key.pub".file = ../../../secrets/data-access/ssh_host_ed25519_key.pub.age; + age.secrets."data-access/password_file".file = ../../../secrets/data-access/password_file.age; + age.secrets."data-access/authorized_keys" = { + file = ../../../secrets/data-access/authorized_keys.age; + owner = "charlotte"; + }; + age.secrets."data-access/create_torrent" = { + file = ../../../secrets/data-access/create_torrent.age; + owner = "charlotte"; + }; age.secrets."passwords/services/data-basic-auth" = { file = ../../../secrets/passwords/services/data-basic-auth.age; owner = "nginx";
diff --git a/modules/services/data-access/secret.nix b/modules/services/data-access/secret.nix
deleted file mode 100644
index f4d7accb..00000000
Binary files a/modules/services/data-access/secret.nix and /dev/null differ
diff --git a/modules/work/vpn/default.nix b/modules/work/vpn/default.nix
index 7c02e7d3..5bff37cd 100644
--- a/modules/work/vpn/default.nix
+++ b/modules/work/vpn/default.nix
@@ -1,10 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ - ./secret.nix - ]; - options = { chvp.work.vpn.enable = lib.mkOption { default = false;
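Review bot: `owner = "charlotte";` on the `authorized_keys` and `create_torrent` secrets only has the intended effect if charlotte's host uid equals the `uid = 1000` declared for the "Data Access" user in config.nix, because the files are consumed inside the container under that numeric uid, and nothing in the hunk ties the two together. A comment such as `# Read inside the data-access container as uid 1000 (the "Data Access" user in config.nix); owner must map to that uid` above these entries records the dependency. `password_file` keeps the agenix default of root ownership and mode 0400, which is appropriate for `users.users.<name>.passwordFile` since that file is read by the user-activation step as root rather than by the account itself. This run of `age.secrets` assignments continues outside the hunk.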
@@ -17,10 +13,16 @@ ugent-global-vpn = { after = [ "network.target" ]; conflicts = [ "ugent-local-vpn.service" ]; + path = [ pkgs.sshuttle pkgs.openssh pkgs.bash ]; + environment = { PASSWORD_FILE = config.age.secrets."passwords/ugent-vpn".path; }; + serviceConfig.ExecStart = config.age.secrets."files/programs/vpn/global".path; }; ugent-local-vpn = { after = [ "network.target" ]; conflicts = [ "ugent-global-vpn.service" ]; + path = [ pkgs.sshuttle pkgs.openssh pkgs.bash ]; + environment = { PASSWORD_FILE = config.age.secrets."passwords/ugent-vpn".path; }; + serviceConfig.ExecStart = config.age.secrets."files/programs/vpn/local".path; }; }; security.polkit.extraConfig = ''
@@ -34,5 +36,13 @@ }); ''; age.secrets."passwords/ugent-vpn".file = ../../../secrets/passwords/ugent-vpn.age; + age.secrets."files/programs/vpn/local" = { + file = ../../../secrets/files/programs/vpn/local.age; + mode = "0500"; + }; + age.secrets."files/programs/vpn/global" = { + file = ../../../secrets/files/programs/vpn/global.age; + mode = "0500"; + }; }; }
diff --git a/modules/work/vpn/secret.nix b/modules/work/vpn/secret.nix
deleted file mode 100644
index 36a73213..00000000
Binary files a/modules/work/vpn/secret.nix and /dev/null differ
diff --git a/secrets.nix b/secrets.nix
index 19e700e5..c51d65e6 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -33,6 +33,8 @@ in "secrets/passwords/ugent-mount-credentials.age".publicKeys = laptops ++ users; "secrets/passwords/ugent-vpn.age".publicKeys = laptops ++ users; + "secrets/files/programs/vpn/local.age".publicKeys = laptops ++ users; + "secrets/files/programs/vpn/global.age".publicKeys = laptops ++ users; "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users;
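Review bot: The two units in `@@ -17,10 +13,16 @@` now carry byte-identical `path` and `environment` lines and the same `serviceConfig.ExecStart` shape, differing only in the script secret and the `conflicts` target; a small helper removes the duplication and keeps a future hardening change (a `User`, or sandboxing settings) from landing on one unit only. Because the scripts themselves are agenix-encrypted and cannot be reviewed in the diff, the contract they depend on should be written down, e.g. `# Scripts read the password from $PASSWORD_FILE and expect sshuttle/ssh/bash on PATH; they run as root (no User set), hence mode 0500 on the secrets below`. The `mode = "0500"` entries in `@@ -34,5 +36,13 @@` set no `owner`, so the decrypted files are root-only executables, which is consistent with root-run units. The `systemd.services` attribute set and the module's `config` block both start and end outside the hunk, so the refactor below assumes `systemd.services = let … in { … };` at the enclosing level.
```nix
# … enclosing systemd.services = … opens outside the hunk …
let
  vpnUnit = script: conflict: {
    after = [ "network.target" ];
    conflicts = [ conflict ];
    path = [ pkgs.sshuttle pkgs.openssh pkgs.bash ];
    environment = { PASSWORD_FILE = config.age.secrets."passwords/ugent-vpn".path; };
    serviceConfig.ExecStart = config.age.secrets.${script}.path;
  };
in
{
  ugent-global-vpn = vpnUnit "files/programs/vpn/global" "ugent-local-vpn.service";
  ugent-local-vpn = vpnUnit "files/programs/vpn/local" "ugent-global-vpn.service";
}
# … unchanged: security.polkit.extraConfig …
```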
@@ -47,7 +49,7 @@ in "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users; - + "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
@@ -58,4 +60,7 @@ in "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/authorized_keys.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/password_file.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/create_torrent.age".publicKeys = [ urithiru ] ++ users; }
diff --git a/secrets/data-access/authorized_keys.age b/secrets/data-access/authorized_keys.age
new file mode 100644
index 00000000..a3f68bdb
Binary files /dev/null and b/secrets/data-access/authorized_keys.age differ
diff --git a/secrets/data-access/create_torrent.age b/secrets/data-access/create_torrent.age
new file mode 100644
index 00000000..4d7837a2
Binary files /dev/null and b/secrets/data-access/create_torrent.age differ
diff --git a/secrets/data-access/password_file.age b/secrets/data-access/password_file.age
new file mode 100644
index 00000000..2fa0543d
--- /dev/null
+++ b/secrets/data-access/password_file.age
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 9PfEBQ Vq16b9bDymjNwwJlPiHBthxD50YeprXBPrRy9wNd2AA +FjiyQbWTcNNVQk8E9iXP2TC8TuSXTfoFYzF3Y72ry5k +-> ssh-ed25519 s9rb8g 7puH9ds24smZcxJECsBGEC8IZ5q9EurHi6lV2oNxFAE +eXG6/lgAfHBzY7Rm19aHl6zf2HanjoaFV7YezclJQhE +-> ssh-ed25519 yad4VQ F5YiA+LSeCA9qPjstZrPXgllKs3IxDsA/ha+ZvNTXTc +po/JNstnZ6ukqR3T3djXgVYJqSGFEeDwOkbQqbluPx0 +-> R>xz]Mg-grease +nYwGW+ZzUW4N4tKNwB3kkTXO8CAvmlNLIE79LLUzHkRt04ovwgS9G22MqpoUYn6N +rY9IAdecPENYkqIqVd7OJRtTcrmb311NXcds8G6f+x/r6dcu8lexERE8k1Q +--- uP24/LXQHQSwdFDEyBVMpTMVoFasQGHRz1XEAWyUZ4I +ze/MYT%~F`X!v*@AG@iQanՋ|p`2"%7xrixQǣÕnʤu@g" +*]?z>ρl%7w4fTO.Rݓ \ No newline at end of file diff --git a/secrets/files/programs/vpn/global.age b/secrets/files/programs/vpn/global.age new file mode 100644 index 00000000..6afb6298 --- /dev/null +++ b/secrets/files/programs/vpn/global.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 umFZoA Zbf1eXyTxHEkOCJfYVt08sQcrHPmH7xzbgbNSJlefyw +GhUZ8pv+W4iJDu1o8fHVbCgAT6uUytDAktVTZJeUMBY +-> ssh-ed25519 aUd9Ng xr+E/JROUvOZ4d+GDThxzMke+XcfgNUqDxCrDa7zGnU +JrWtA/U1VAKPdHRyIw5EZ98zJnlWfEqml/aPD22//sM +-> ssh-ed25519 s9rb8g CtPl56xLOHRL6mLCXfiSrHQ/TnzTNxwCybW8i10sbHI +g2XUxE1H/MOXzqcadXEBXAh+eQVxOi60aZq0Bvwm0jk +-> ssh-ed25519 yad4VQ YeECur+U3OXUYXv7iLcDSGLhssoY05oQXNSJlyR9KGk +BbLCcjImDO8jEMYJtYttlUJr6yY2P+RyRsqIGGrZXwA +-> @h@-grease FW*P0 u